I’ve promised you in the beginner tutorial that you can skip awsconfigure before using AWSCLI on EC2. Here is how. The initial configuration takes a few steps, but once it’s done your overall workflow will be simplified quite a bit.

“Y” is generally some AWS resources, like EC2 or S3. In the most common case, “X” is a specific user. You can create multiple users under a single AWS account (an “account” is tied to a single credit card); each user can have its unique ID, password, and permissions. This is useful for managing a research group, but not quite useful if you are the only user.

The Researcher’s Handbook has very detailed instructions on how to set up multiple users (called “IAM users”), so I will not repeat it here. You, the account owner, are also encouraged to create an IAM user for yourself, instead of using the root AWS account to log in (as you’ve been doing till now). This is again for security reasons. An IAM user will never have access to the billing information and your credit card number, even if that user has the most powerful “AdministratorAccess” which is almost equivalent to root access.

Note

Yes, there are just so many “security best practices” on AWS (Key Pairs, security groups, IAM users…), and their benefits are not intuitive to researchers who really just want to get the computing done and publish papers. But please do check out those security stuff when you have time.

To further complicate things, “X” doesn’t have to be a human user, but can also be a AWS resource. This is what we want to do here – grant S3 access to our EC2 instances, i.e.

“X” = our EC2 instances

“Y” = S3 buckets

“Y” can also be as detailed as “read-only access to S3” (so, no write access) or even “read-only access to a specific S3 bucket” (so, no access to other buckets). All those possible combinations make the IAM console kind of daunting for beginners. Fortunately, here we only need to enable a simple permission rule, which is very easy to do.

Whenever you launch a new EC2 instance, in “Step 3: Configure Instance Details”, select the IAM role you created previously for the “IAM role” option.

No need to touch other options on this page and just launch as usual. On this EC2 instance, you don’t need to run awsconfigure, and commands like awss3ls will just work (as long as AWSCLI is installed). This is actually a better practice since you never type your security credentials on this server (which might be stolen if your server gets hacked).